US8880771B2 · Active · Utility · PatentIndex 96
Method and apparatus for securing and segregating host to host messaging on PCIe fabric
Est. expiry Oct 25, 2032 (~6.3 yrs left) · nominal 20-yr term from priority
CPC: G06F 21/85; G06F 13/4022; G06F 2213/0026; G06F 2221/2141; G06F 2213/4004; G06F 2221/2129; G06F 2221/2149
PatentIndex Score: 96
Cited by: 66
References: 18
Claims: 23
Abstract
A PCIe fabric includes at least one PCIe switch. The fabric may be used to connect multiple hosts. The PCIe switch implements security and segregation measures for host-to-host message communication. A management entity defines a Virtual PCIe Fabric ID (VPFID). The VPFID is used to enforce security and segregation. The fabric ID may be extended to be used in switch fabrics with other point-to-point protocols.
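To make the mechanism described in the abstract (and spelled out in claims 1 to 11 below) concrete, the following is an added example, not code from the patent, its assignee or any switch vendor. It models the claimed flow in Python: an administrator defines subnets and the fabric generates a VFID for each (claim 1); each port's DMA function is bound to one VFID, several VFIDs, or the single default VFID (claims 7 and 8); outgoing host messages are tagged in a vendor-defined message (claim 3); the switch checks the tag at the sending port and again at the receiving port, drops mismatches inside the switch, and returns an error code that is recorded as a security violation (claims 4 to 6, 10 and 11); and an Ethernet VLAN ID can be translated to a VFID (claim 9). The 0x7F message code for a Type 1 vendor-defined message is taken from the PCIe base specification; the rest of the header layout, the vendor ID, the port numbers, tenant names and all function names are constructed for illustration.

```python
"""Model of VFID-enforced host-to-host messaging on a PCIe switch.

Added example, not code from the patent or any vendor. The header below is a
simplified stand-in for a vendor-defined message TLP, not the spec layout.
"""
import struct
from dataclasses import dataclass
from enum import Enum

VDM_TYPE1_MSG_CODE = 0x7F  # PCIe Type 1 Vendor Defined Message code (from the spec)
VENDOR_ID = 0x1234         # constructed placeholder vendor ID
# assumed header: msg code, requester port, vendor ID, VFID, payload length
HEADER = struct.Struct(">BHHHH")


class Status(Enum):
    DELIVERED = "delivered"
    DROPPED_EGRESS = "dropped at sending port: sender not approved for VFID"    # claim 5
    DROPPED_INGRESS = "dropped at receiving port: receiver not approved for VFID"  # claim 6
    DROPPED_UNTAGGED = "dropped: not a tagged vendor-defined message"


@dataclass(frozen=True)
class DmaFunction:
    """Per-port virtual DMA engine function and the VFIDs it may use (claims 7-8)."""
    port: int
    vfids: frozenset  # one element in single-VFID mode, several in multiple-VFID mode


class Fabric:
    DEFAULT_VFID = 1  # claim 8: default setting, one VFID shared by all DMA functions

    def __init__(self):
        self.subnet_vfid = {}   # subnet name -> VFID (claim 1: administrator defines subnets)
        self.functions = {}     # port -> DmaFunction
        self.vlan_to_vfid = {}  # Ethernet VLAN ID -> VFID (claim 9)
        self.violations = []    # security violation notifications (claims 10-11)
        self._next_vfid = self.DEFAULT_VFID + 1

    # --- management entity ---
    def define_subnet(self, name):
        """Administrator input defining a subnet; the fabric generates its VFID."""
        if name not in self.subnet_vfid:
            self.subnet_vfid[name] = self._next_vfid
            self._next_vfid += 1
        return self.subnet_vfid[name]

    def attach(self, port, subnets=()):
        """Bind a port's DMA function to the VFIDs of the given subnets;
        no subnets selects the default setting (single default VFID)."""
        vfids = frozenset(self.subnet_vfid[s] for s in subnets) or frozenset({self.DEFAULT_VFID})
        self.functions[port] = DmaFunction(port, vfids)

    def map_vlan(self, vlan_id, subnet):
        """Claim 9: an Ethernet VLAN is carried over the fabric as a VFID."""
        self.vlan_to_vfid[vlan_id] = self.subnet_vfid[subnet]

    # --- host side: tag outgoing messages (claims 1 and 3) ---
    def tag(self, src_port, payload, vfid=None, vlan_id=None):
        if vlan_id is not None:
            vfid = self.vlan_to_vfid[vlan_id]
        if vfid is None:
            vfid = min(self.functions[src_port].vfids)  # the single-VFID case
        return HEADER.pack(VDM_TYPE1_MSG_CODE, src_port, VENDOR_ID, vfid, len(payload)) + payload

    # --- switch side: egress check, then ingress check (claims 4-6, 10-11) ---
    def forward(self, src_port, dst_port, packet):
        """Return (Status, payload or None); mismatches are dropped inside the switch."""
        if len(packet) < HEADER.size:
            return self._drop(Status.DROPPED_UNTAGGED, src_port, dst_port, None)
        code, _req, vendor, vfid, length = HEADER.unpack_from(packet)
        if code != VDM_TYPE1_MSG_CODE or vendor != VENDOR_ID:
            return self._drop(Status.DROPPED_UNTAGGED, src_port, dst_port, None)
        if vfid not in self.functions[src_port].vfids:
            return self._drop(Status.DROPPED_EGRESS, src_port, dst_port, vfid)
        if vfid not in self.functions[dst_port].vfids:
            return self._drop(Status.DROPPED_INGRESS, src_port, dst_port, vfid)
        return Status.DELIVERED, packet[HEADER.size:HEADER.size + length]

    def _drop(self, status, src_port, dst_port, vfid):
        # Claims 4, 10, 11: error code back to the sender, logged as a security violation.
        self.violations.append({"from": src_port, "to": dst_port, "vfid": vfid, "error": status.name})
        return status, None


def demo():
    """Constructed scenario: two tenants sharing a four-port switch."""
    fab = Fabric()
    fab.define_subnet("tenant-red")
    blue = fab.define_subnet("tenant-blue")
    fab.attach(0, ["tenant-red"])
    fab.attach(1, ["tenant-red"])
    fab.attach(2, ["tenant-blue"])
    fab.attach(3, ["tenant-red", "tenant-blue"])  # multiple-VFID mode on one DMA function
    fab.map_vlan(100, "tenant-blue")
    results = {
        "red_to_red": fab.forward(0, 1, fab.tag(0, b"hello"))[0],
        "red_to_blue": fab.forward(0, 2, fab.tag(0, b"leak?"))[0],
        "forged_tag": fab.forward(0, 2, fab.tag(0, b"spoof", vfid=blue))[0],
        "vlan_translated": fab.forward(3, 2, fab.tag(3, b"eth", vlan_id=100))[0],
        "untagged": fab.forward(0, 1, b"raw dma write")[0],
    }
    return fab, results


if __name__ == "__main__":
    fabric, outcome = demo()
    for name, status in outcome.items():
        print(f"{name}: {status.value}")
    print(f"{len(fabric.violations)} security violation(s) recorded")
```

The two-stage check is the point worth noticing: the egress check stops a host from simply writing a neighbour's VFID into its own tag, and the ingress check is still needed because a port in multiple-VFID mode (port 3 here) can legitimately emit tags for several subnets, so the receiving port's own approved set decides what it accepts. In hardware both checks run per TLP in the switch ports; this model runs them in one function for readability.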
Claims
exact text as granted — not AI-modified
What is claimed is:
1. A method of operating a switch fabric having a point-to-point network protocol, the method comprising:
receiving an input from a switch fabric administrator defining subnets;
generating a virtual fabric ID (VFID) for at least one defined subnet;
tagging packets of outgoing messages from at least one host with the virtual fabric ID; and
determining if an incoming message to at least one host has a tag matching the virtual fabric ID;
wherein receive processing for incoming messages is supported if the tag of the incoming message matches an approved virtual fabric ID and the message is dropped within the switch if the tag does not match the approved virtual fabric ID.
2. The method of claim 1, wherein the point-to-point protocol is PCI Express.
3. The method of claim 1, wherein said tagging is performed via vendor defined messaging.
4. The method of claim 1, wherein an error code is returned to a sender if the virtual fabric ID does not match.
5. The method of claim 1, wherein said determining includes checking every host-to-host packet coming out of a port and dropping the packet unless it has been tagged with a valid virtual fabric ID.
6. The method of claim 5, where said determining includes checking packets at each receiving port for a valid virtual fabric ID and dropping packets having invalid virtual fabric IDs.
7. The method of claim 1, wherein the switch fabric includes virtual Direct Memory Access (DMA) engine functions for each port, wherein said receiving comprises: receiving from a fabric administrator one or more settings defining a relationship between VFIDs and DMA functions.
8. The method of claim 7, wherein the settings include:
a single VFID/DMA function;
a multiple VFID mode on a per DMA function basis; and
a default setting having a single VFID and all DMA functions are set to this setting.
9. The method of claim 1, further comprising translating an Ethernet Virtual Local Area Network (VLAN) to a corresponding VFID to permit Ethernet VLAN to be run over the fabric switch.
10. The method of claim 1, further comprising generating at least one error message based at least in part on the tag not matching an approved VFID.
11. The method of claim 10, wherein the at least one error message comprises a security violation notification.
12. A method of operating a switch fabric having a point-to-point network protocol, the method comprising:
generating a table defining a virtual fabric ID (VFID) for at least one defined subnet;
tagging packets of outgoing messages from at least one host with the virtual fabric ID; and
determining if an incoming message to at least one host has a tag matching the virtual fabric ID;
wherein receive processing for incoming messages is supported if the tag matches the virtual fabric ID and the message is dropped within the switch if the tag does not match the virtual fabric ID.
13. The method of claim 12, wherein the point-to-point protocol is PCI Express.
14. The method of claim 12, wherein said tagging is performed via vendor defined messaging.
15. The method of claim 12, wherein an error code is returned to a sender if the virtual fabric ID does not match.
16. The method of claim 12, wherein said determining includes checking every host-to-host packet coming out of a port and dropped the packet unless it has been tagged with a valid virtual fabric ID.
17. The method of claim 16, where said determining includes checking at each receiving port for a valid virtual fabric ID and dropping packets having invalid tags.
18. The method of claim 12, wherein the switch fabric includes virtual Direct Memory Access (DMA) engine functions for each port, wherein said receiving comprises: receiving from a fabric administrator one or more settings, including setting a relationship between VFIDs and DMA functions.
19. The method of claim 18, wherein the settings include:
a single VFID/DMA function;
a multiple VFID mode on a per DMA function basis; and
a default setting having a single VFID and all DMA functions are set to this setting.
20. The method of claim 12, further comprising translating an Ethernet Virtual Local Area Network (VLAN) to a corresponding VFID to permit Ethernet VLAN to be run over the fabric switch.
21. The method of claim 12, further comprising generating at least one error message based at least in part on the tag not matching an approved VFID.
22. The method of claim 12, wherein the at least one error message comprises a security violation notification.
23. A PCI express switch in connection with a management system, wherein a memory in the management system stores a table of virtual fabric IDs to enforce security and segregation of host-to-host message flows for hosts coupled to the PCI express switch.